Keeping HIPAA Compliance Efforts Up to Date

Ken Lynch, Founder & CEO, Reciprocity

NOVEMBER 29, 2018

Back in 1996, the U.S. Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) to help protect individuals’ sensitive health information when they move from one employer to another. Then, in 2003, the Department of Health and Human Services (HHS) created the Privacy Rule to expand this coverage to any organization that maintains or has access to protected health information (PHI). This includes any information about health status, payment for healthcare and any medical services rendered, to name a few. In 2005, the Privacy Rule was extended to electronic PHI, or ePHI, as well.

What this means for businesses is that even software-as-a-service providers and human resources platforms must be in compliance with HIPAA regulations if their products are used to manage PHI. Here’s what you need to know about HIPAA compliance and how to manage it. Healthcare decision makers, meanwhile, must also ensure that their business associates are in compliance.

HIPAA Compliance Basics

The latest regulations break down HIPAA compliance into three primary categories:

Administrative Safeguards

This area refers to the specific policies and procedures your company or healthcare organization has put in place to monitor and verify compliance. The details of the policy should be tailored to the unique activities and data capabilities of your business.

Physical Safeguards

This category denotes the measures you have instituted to control which employees have access to your physical data storage areas. It is a good idea to restrict this access to only those who truly have need for it and to update access immediately following any personnel changes.

Technical Safeguards

If you transmit any PHI electronically, you’ll need to encrypt and protect that data in transit, bringing your IT department into your compliance efforts. Electronic communications are among the most common access points for hackers, so technical safeguards are critical for your organization.

Your organization must maintain compliance across all three areas in order to be deemed fully compliant. Failure to comply with the HIPAA regulations can result in severe penalties, including fines, civil litigation and even jail time. The Office for Civil Rights, a branch of HHS, oversees the implementation of the regulations and works to strengthen them over time.

Maximize Your Efforts with Continuous Monitoring

As hackers and other thieves continue to grow more sophisticated, it is no longer enough to simply measure your HIPAA compliance at a particular point in time; you need to engage in continuous monitoring to protect your customers successfully. You’ll need to evaluate the specific risks that could impact your organization so that you can implement the proper safeguards.

This includes monitoring those risks on an ongoing basis to detect any security incidents so that you can address them as quickly as possible. Hackers are devising new tactics and threats with each passing day, so proper compliance requires constant vigilance.

Monitoring your security efforts continuously is only half the battle, though. To maintain continuous compliance, you’ll also need to take action based on the information you uncover. This can include tasks like updating software to the latest versions, adding or revoking employee access as needed and changing passwords regularly. The more proactive you are in addressing any potential compliance issues, the easier it will be to maintain continuous compliance.

Automated Software Can Assist with HIPAA Compliance Management

You’ll have plenty of options available to you in terms of technology to help manage your HIPAA compliance. These automated software applications can monitor your system continuously, auditing it for any anomalies or potential breaches. This way, you’ll receive an alert immediately if anything looks suspicious, enabling you to take action right away to ensure your ongoing compliance and the protection of your customers.

Another way that automated compliance software can help is by documenting any incidents that occur, along with how your company addressed them. This will come in handy in the event that your organization is ever audited to ensure compliance. You’ll have detailed records of your company’s ongoing efforts to secure your customers’ PHI and ePHI.

HIPAA regulations aren’t likely to go away or become more lenient any time in the near future. In fact, the opposite is likely to be true. Getting your HIPAA compliance in order now will help you be as prepared as possible to implement even stronger measures in the future as needed. Your compliance software can grow and scale along with your business to ensure you stay compliant as consistently as possible.

Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. He has propelled Reciprocity's success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens.

Inside Digital Health™ delivers the information that healthcare decision makers and physicians need to confidently navigate the digital transformation. We bring you compelling stories about the institutions and individuals who are fomenting positive change — so you can join them in leveraging the tools of healthcare technology and leading the noble quest toward improving patient care and eliminating healthcare waste.